Golden Ticket
A Golden Ticket attack consists of forging a valid Ticket Granting Ticket (TGT) for any user by using the NTLM hash (or AES key) of the Active Directory (AD) krbtgt account. The technique is particularly advantageous because the forged TGT grants access to any service or machine within the domain as the impersonated user. It's crucial to remember that the krbtgt account's password is never rotated automatically, so a stolen krbtgt key stays usable until an administrator resets the password twice (the DC keeps the previous key so that tickets still in use remain valid).
The NTLM hash of the krbtgt account can be acquired in several ways. It can be extracted from the Local Security Authority Subsystem Service (LSASS) process or from the NT Directory Services database (NTDS.dit) on any Domain Controller (DC) in the domain. Alternatively, a DCSync attack retrieves it over the network through the directory replication protocol, using tools such as the lsadump::dcsync module in Mimikatz or the secretsdump.py script from Impacket. All of these operations typically require Domain Admin privileges or an equivalent level of access (for DCSync, the replication rights on the domain object).
Although the NTLM hash works for this purpose, it is strongly recommended to forge tickets using the krbtgt Advanced Encryption Standard (AES) Kerberos keys (AES128 or AES256) for operational security reasons: a ticket built from the NTLM hash uses RC4, which stands out as an encryption downgrade in a domain where AES is the norm.
Once the golden ticket is injected into your session, you can access shared files (e.g. C$), create and run services, and use WMI on any host, so psexec or wmiexec can be used to obtain a shell (it appears that a shell via WinRM does not work with a golden ticket).
The most frequent ways to detect a golden ticket are based on inspecting Kerberos traffic and the properties of the TGT. By default, Mimikatz gives the forged TGT a 10-year lifetime, far beyond the default domain policy of 10 hours, which stands out as anomalous in subsequent TGS requests made with it. The three values printed by Mimikatz are the start time, the end time and the maximum renewal time:
Lifetime : 3/11/2021 12:39:57 PM ; 3/9/2031 12:39:57 PM ; 3/9/2031 12:39:57 PM
Use the /startoffset, /endin and /renewmax parameters (supported by both Mimikatz's kerberos::golden and Rubeus's golden command) to control the start offset, duration and maximum renewal time of the forged ticket (all in minutes), so that it resembles a legitimately issued TGT.
Unfortunately, the TGT's lifetime is not logged in event 4769 (Kerberos service ticket requested), so you won't find this information in the Windows event logs. What you can correlate, however, is a 4769 that has no prior 4768 (Kerberos authentication ticket (TGT) requested) for the same account. It is not possible to request a TGS without a TGT, so if no DC recorded issuing one, we can infer that it was forged offline. Note that the 4768 and the 4769 may land on different DCs, so the correlation only works over the Security logs of every DC in the domain.
In order to bypass this detection, check the diamond tickets page.
Other events worth reviewing when hunting for golden ticket use:
4624: Account Logon (An account was successfully logged on)
4672: Admin Logon (Special privileges assigned to new logon)
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *
Another little trick defenders can use is to alert on every 4769 for sensitive accounts, such as the built-in domain Administrator account, which should rarely request service tickets in day-to-day operation.
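The two detections described above, as an added example that is not part of the original page or of any vendor tool: the script correlates Security events 4768 and 4769 and flags a 4769 that has no preceding 4768 for the same account within the maximum legitimate TGT lifetime (7 days with renewals under default policy), plus any 4769 for a sensitive account. The event dicts, the realm LAB.LOCAL, the host and user names and the list of sensitive accounts are all constructed for the example; in a real deployment the events would be pulled from every DC (Get-WinEvent, a SIEM or a log forwarder) and mapped to the same field names.

```python
"""Correlate Kerberos events 4768/4769 to flag possible forged (golden) TGTs.

Added example, not from the original page. The event format is a simplified,
constructed stand-in for Security log fields; collect from ALL DCs, because
the 4768 and the 4769 for one logon may be recorded on different DCs.
"""
from datetime import datetime, timedelta

# Longest a legitimate TGT can live with renewals under default domain policy
# (7 days), so a 4769 may lawfully trail its 4768 by up to that much.
DEFAULT_WINDOW = timedelta(days=7)

# Accounts for which every 4769 is worth an alert. The built-in Administrator
# is the page's example; krbtgt is an added assumption (it never logs on).
SENSITIVE_ACCOUNTS = {"administrator", "krbtgt"}


def normalize_user(name):
    """'Administrator@LAB.LOCAL' and 'LAB\\Administrator' -> 'administrator'.

    4768 usually logs the bare sAMAccountName while 4769 logs user@REALM,
    so both must be reduced to one form before correlating.
    """
    name = name.split("@", 1)[0]
    name = name.rsplit("\\", 1)[-1]
    return name.lower()


def detect_forged_tgts(events, window=DEFAULT_WINDOW):
    """Return a list of (reason, event) findings.

    reason is 'no_prior_tgt' when a 4769 for an account has no successful
    4768 for the same account within `window` before it, and
    'sensitive_account' when the 4769 targets an account in SENSITIVE_ACCOUNTS.
    """
    findings = []
    last_tgt = {}  # normalized user -> time of the most recent successful 4768
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        user = normalize_user(ev["TargetUserName"])
        if ev["EventID"] == 4768:
            # Only a successful TGT issue (Status 0x0) proves a TGT exists;
            # a failure such as 0x18 (bad password) does not.
            if ev.get("Status", "0x0") == "0x0":
                last_tgt[user] = ev["TimeCreated"]
        elif ev["EventID"] == 4769:
            issued = last_tgt.get(user)
            if issued is None or ev["TimeCreated"] - issued > window:
                findings.append(("no_prior_tgt", ev))
            if user in SENSITIVE_ACCOUNTS:
                findings.append(("sensitive_account", ev))
    return findings


# Constructed sample: one normal logon followed by a golden ticket in use.
T0 = datetime(2021, 3, 11, 12, 0, 0)
SAMPLE_EVENTS = [
    # Normal user: TGT issued (4768), then a service ticket for the DC (4769).
    {"EventID": 4768, "TimeCreated": T0, "TargetUserName": "jdoe",
     "IpAddress": "10.0.0.21", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": T0 + timedelta(minutes=5),
     "TargetUserName": "jdoe@LAB.LOCAL", "ServiceName": "DC01$",
     "IpAddress": "10.0.0.21"},
    # Golden ticket: service tickets requested with no 4768 anywhere before.
    {"EventID": 4769, "TimeCreated": T0 + timedelta(minutes=39),
     "TargetUserName": "Administrator@LAB.LOCAL", "ServiceName": "DC01$",
     "IpAddress": "10.0.0.99"},
    {"EventID": 4769, "TimeCreated": T0 + timedelta(minutes=40),
     "TargetUserName": "Administrator@LAB.LOCAL", "ServiceName": "FS01$",
     "IpAddress": "10.0.0.99"},
]


if __name__ == "__main__":
    for reason, ev in detect_forged_tgts(SAMPLE_EVENTS):
        print(f"{ev['TimeCreated']:%Y-%m-%d %H:%M} {reason:17} "
              f"{ev['TargetUserName']} -> {ev.get('ServiceName', '?')} "
              f"from {ev.get('IpAddress', '?')}")
```

Run as-is, the script reports the two Administrator 4769s twice each (once for lacking a 4768, once for being a sensitive account) and stays silent on jdoe. The 7-day window is deliberately generous: a shorter one (for example the 10-hour default TGT lifetime) catches more but will also flag renewed TGTs, since renewals do not produce a new 4768.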
Reference: https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets